Sep 24 2018

Will the government get mug shots of all air travelers?

The dispute over government-mandated biometric identification of travelers through automated facial recognition continues to sharpen.

ID document requirements for air travel have been imposed on a de facto basis by DHS administrative fiat without ever having been approved by Congress or authorized by law.

In a similar way, requirements for US citizens to submit to mug shots — either by components of the Department of Homeland Security or by airlines, airport operators, or contractors who share photos with DHS — are being imposed on a growing scale without any Congressional debate or statutory  basis.

Last week the World Privacy Forum submitted a petition for rulemaking asking the DHS to “provide formal notice and solicit public comments pursuant to the Administrative Procedure Act” before proceeding with further “trials” of biometric identification of travelers:

The biometric entry and exit program requires new information collections and uses from CBP, TSA, and additional non-governmental information collection by the airlines. Moreover, the consequences for all the individuals affected by this new procedure are profound and not limited solely to use by CBP itself. First, other government agencies will also use the biometric data. Second, biometric information collected by the airlines and held in their possession does not fall under the protections of the Privacy Act of 1974 . The airlines, even though they are presumably collecting biometric information for use by CBP, can subsequently use the information for secondary purposes unrelated to the CBP.

All of these matters create new, significant intrusions on privacy and create meaningful changes that impose upon millions of members of the public to a degree that requires notice-and-comment rulemaking….

The time for notice and comment under the APA is right now, not later. It is already late, and an expanded Phase II pilot should not proceed further without a public notice and comment period . II. The biometric entry and exit program constitutes a meaningful, nation-wide implementation, and no longer qualifies as a “pilot ” or technical demonstration. The biometric entry and exit program, which CBP describes as a “technical demonstration”…, is currently in 16 total US airports….  In 2018, the program is set to roll out to all US airports with international flights….

The CBP entry and exit program can no longer reasonably be described as merely a pilot or demonstration project….  DHS has deployed the technology now for several years, and plans to deploy it in 2018 in every airport in the US with international flights. This is not what a pilot test looks like.

Meanwhile, DHS is trying to sneak provisions through Congress this week as part of an omnibus aviation bill that appear to be intended to substitute a one-sided internal study by DHS of biometric identification of travelers for public consultation on the issue.

Section 1919 (beginning at page 969 of the 1205-page bill) of the version of the FAA Reauthorization Act, H.R. 302, scheduled to be voted on this week, would require DHS to prepare and publish a report within the next 9  months on, among other aspects of biometric identification of travelers:

(C) A description of the process by which 5 domestic travelers are able to opt-out of scanning using biometric technologies.

(D) A description of —

(i) what traveler data is collected through scanning using biometric technologies, what agencies have access to such data, and how long the agencies possess such data;

(ii) specific actions that the Department and other relevant Federal departments and agencies take to safeguard such data; and

(iii) a short-term goal for the prompt deletion of the data of individual United States citizens after such data is used to verify traveler identities

These provisions appear intended to provide reassurance to the traveling public and political cover for members of Congress that privacy issues are being “considered,” but without actually doing anything to protect the public or rein in the DHS.

The biometric ID provisions of the FAA reauthorization Act, in their latest form, wouldn’t give any new authority to the DHS or legalize the current violations of travelers rights (even if they could override the US Constitution or international human rights treaties, which they can’t). But neither would this bill place any new restrictions on DHS practices. All it would require is a report, to be prepared internally by DHS while deployment of DHS-linked automated facial recognition at airports throughout the US continues.

The report would have to discuss “the process by which domestic travelers are able to opt-out of scanning using biometric technologies.” But it’s not clear whether by “domestic travelers” it intends to mean “travelers on domestic flights within the US, ” or “US persons (US citizens and permanent residents),” or both. Even in a hasty last-minute amendment to an omnibus bill, it seems unlikely that this ambiguity is accidental. And there’s no mandate that there be any opt-out, only for DHS to report on whether there is.

Even more significantly, there’s no mention in the bill, much less a requirement for the DHS report to consider, one of the largest risks in the current biometric ID programs: the complete lack of any restrictions on how airlines, airport operators, and other commercial third parties use or disclose data collected under government mandate.

Biometric identification of travelers, especially through automated facial recognition, isn’t just a surveillance tool that is already being used to track and log our movements.  Identification of travelers is the key prerequisite to permission-based controls on who is, and who is not, allowed to travel. Consent to be identified by the government whenever and wherever we go is consent to have the government decide whether, when, and where we are allowed to go.

Where does that lead us? We have only to look to China, where the world’s most extensive deployment of automated facial recognition is coupled with systematic government control of domestic and international travel based on databases of transactional and movement-tracking data about each individual.

What the US government calls “risk assessment” scores are called “social credit” scores by the Chinese government. The predictable result of predictive profiling is to restrict the movements of critics of the government. Here’s what happens to dissidents once these identification and control mechanisms are integrated into travel infrastructure:

The social credit system has closed down his travel options and kept him under effective house arrest in his hometown of Chongqing

In an apartment above the streets of Chongqing city, Hu tries to use a phone app to book train tickets to Xi’an. The attempt is rejected.

“[The app] says it fails to make a booking and my access to high-speed rail is legally restricted,” he explains.

Don’t let it happen here. Say no to documentary and biometric ID requirements for travel.